Grav CMS Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Grav CMS versions 1.7.46 through 1.7.48. It allows authenticated users with page-editing privileges to execute arbitrary script in other users' browsers by placing it in the onerror attribute of an img element.

Impact

Successful exploitation results in stored cross-site scripting: an attacker can inject a script that runs in the browser of any user who views the affected page, with that user's session and privileges.

Reproduction

To reproduce this vulnerability, an authenticated user with permission to edit pages inserts a script into the onerror attribute of an img element. When the referenced image fails to load, the browser executes the script. This is done through the admin interface by creating or editing a page and adding the malicious image tag to its content.
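The defensive counterpart of the vector above is to audit stored page content for inline event-handler attributes and strip them before the content is rendered. The following example is added here and is not Grav code; it assumes nothing about Grav's internals and runs over a constructed page fragment using only Python's standard library.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample page body (not from any real Grav site): one img
# carries an inline onerror handler, the other is harmless.
SAMPLE_CONTENT = (
    '<p>Team photo</p>'
    '<img src="/user/images/team.jpg" alt="team" onerror="alert(document.cookie)">'
    '<img src="/user/images/logo.png" alt="logo">'
)


class EventHandlerAuditor(HTMLParser):
    """Records every inline event-handler attribute (on*) found in a
    fragment and rebuilds the fragment with those attributes removed."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute) pairs that were stripped
        self.clean = []     # pieces of the rebuilt fragment

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            # Any attribute named on... (onerror, onload, onclick, ...) is an
            # inline script hook, so it is logged and dropped.
            if name.startswith("on"):
                self.findings.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"'
                        if value is not None else f" {name}")
        self.clean.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser decoded entities, so text is re-escaped on output.
        self.clean.append(escape(data, quote=False))


def audit_fragment(fragment):
    """Return (cleaned_fragment, findings) for an editor-supplied fragment."""
    auditor = EventHandlerAuditor()
    auditor.feed(fragment)
    auditor.close()
    return "".join(auditor.clean), auditor.findings
```

Stripping on* attributes is only one check; a rendering pipeline should enforce an allowlist of tags and attributes and log findings such as the ("img", "onerror") pair this audit reports, so an editor account planting handlers is noticed.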

Added: Jul 25, 2025, 8:56 PM
Updated: Jul 25, 2025, 8:56 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 6.5
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.